Howto log multiple sftpd instances with their chroot shared via NFS

Peter Stuge peter at stuge.se
Fri Oct 1 01:16:35 AEST 2021


Hi Hildegard,

Hildegard Meier wrote:
> > 4192 /usr/sbin/sftpd is likely unrelated to OpenSSH.
> 
> To have a clean separation of the standard sshd service on port 22
> and our sftp server that listens on another port, and both have and
> shall have really nothing to do with each other, I created a new
> sshd instance named "sftpd":

I understand! This could actually make it much easier to use a local
build for the standalone sftp server. Does the patch idea seem viable?


> [Service]
> EnvironmentFile=-/etc/default/sftpd
> ExecStartPre=/usr/sbin/sftpd -t
> ExecStart=/usr/sbin/sftpd -D $SFTPD_OPTS -f /etc/sftpd/sftpd_config
> 
> Important for correct autostart of sftpd on boot is:
> [Unit]
> After=network.target auditd.service sshd.service
> 
> Because sftpd needs to be started after sshd because only sshd
> creates /run/sshd/ and that is needed by sftpd (hard compiled in sshd).

systemd creates /run/sshd for the sshd.service; it's not great that
the sftpd service needs to use the same path.

A local sshd build allows cleanly solving that as well.


These commands build an OpenSSH-8.8p1 sshd with my sftp-server patch
and the alternate privsep directory:

git clone https://anongit.mindrot.org/openssh.git &&
cd openssh &&
git checkout -b v88_sftplog V_8_8_P1 &&
wget -O 0001-sftplog.patch \
  https://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210930/9b40e2d4/attachment.bin &&
git am 0001-sftplog.patch &&
autoreconf -fi -I m4 &&
./configure --prefix=/usr/local/sftpd --with-privsep-path=/run/sftpd &&
make sshd

Thanks to --prefix this sshd will not interfere with anything installed
via package management. Place configuration and keys (or symlinks) in
/usr/local/sftpd/etc/ and remember  PidFile /run/sftpd.pid  in sshd_config.


In any case you can express the current dependency to systemd to avoid
errors:

> When stopping sshd /run/sshd/ gets deleted and you get the
> following sftpd error:
> fatal: Missing privilege separation directory: /run/sshd
> and sftpd does not accept new connections anymore etc.

Set BindsTo=sshd.service in the sftpd.service [Unit] section to
tell systemd that sftpd requires sshd, and should be stopped first
if sshd is being stopped.

Also create a Wants:

mkdir /etc/systemd/system/sshd.service.wants
ln -s ../sftpd.service /etc/systemd/system/sshd.service.wants/

...to tell systemd that it should try to start sftpd when sshd starts.

Keep After=sshd.service in sftpd.service.

With those changes you can stop and start sftpd while sshd continues
running like before, if you stop sshd then sftpd is now stopped first,
and if you start either sshd or sftpd when neither is running then
both are started in the right order.


> Here ps fax output :)

That makes sense now. :)


Kind regards

//Peter
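The dependency setup described above, as an added example that is not part of the original message: a shell function that writes a complete sftpd.service unit with BindsTo= and After=sshd.service (using the paths from Hildegard's unit, not the local build) and creates the sshd.service.wants link. The ROOT argument and the check_sftpd_unit helper are assumptions added so the result can be tried in a scratch directory without touching the real /etc.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is an assumed prefix so the files
# can be written to a scratch directory; run as root with ROOT=/ and then
# `systemctl daemon-reload` to apply it for real.
set -eu

install_sftpd_unit() {
    root="${1:-/}"
    unitdir="$root/etc/systemd/system"
    mkdir -p "$unitdir/sshd.service.wants"

    # Unit paths are the ones from the existing sftpd setup in the thread.
    cat > "$unitdir/sftpd.service" <<'EOF'
[Unit]
Description=Standalone OpenSSH sftp server (sftpd)
# sftpd needs /run/sshd, which sshd.service creates and removes:
# start after sshd, and stop before sshd when sshd is stopped.
After=network.target auditd.service sshd.service
BindsTo=sshd.service

[Service]
EnvironmentFile=-/etc/default/sftpd
ExecStartPre=/usr/sbin/sftpd -t
ExecStart=/usr/sbin/sftpd -D $SFTPD_OPTS -f /etc/sftpd/sftpd_config

[Install]
WantedBy=multi-user.target
EOF

    # Wants link: starting sshd also tries to start sftpd, but a failing
    # sftpd does not take sshd down with it.
    ln -sfn ../sftpd.service "$unitdir/sshd.service.wants/sftpd.service"
}

# Hypothetical helper: verify the dependency lines and the wants link
# without needing systemd itself.
check_sftpd_unit() {
    root="${1:-/}"
    unit="$root/etc/systemd/system/sftpd.service"
    grep -q '^BindsTo=sshd.service$' "$unit" || return 1
    grep -q '^After=.*sshd.service' "$unit" || return 1
    [ -e "$root/etc/systemd/system/sshd.service.wants/sftpd.service" ] || return 1
}

# Usage (as root):  install_sftpd_unit / && systemctl daemon-reload
```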

